Defining the steps one must complete to achieve one's goals is the first step in many higher endeavors. When the endeavor is achieving a certain level of security on an IBM i server or any other kind of IT system, the goals are put down on paper in the form of a detailed security policy. For organizations that are looking to bolster their IBM i security practices but don't know where to start, PowerTech provides a free, downloadable IBM i security policy template to get them going.

It is hard to believe, but many IBM i shops today don't have security policies, which, unfortunately, is just one of many security failings at IBM i shops. These organizations are flying blind by the seat of their administrator's pants, hoping they don't have a security problem (presuming they could detect it in the first place). Without a security policy to go by, it's very difficult for an organization to practice any kind of rigor in pursuit of higher security. In other words, a security policy is the foundation block of all security practices, and without it, no security structures can be built on top of it.

That's not to say every company needs a Fort Knox-like security policy. Each organization's security policy is a unique reflection of the risks they are willing to take. A small company with just a dozen users accessing an IBM i server with no ODBC, FTP, or HTTP links outside the firewall will require a much simpler security policy than a national retailer handling billions of dollars of electronic transactions, which must adhere to the strict PCI DSS requirements.

But any organization that values its data--and its relationship with customers who are represented by that data--should have, at the very least, a semblance of a security policy. For IBM i shops that don't, PowerTech's "OS/400 Security Policy" provides a good place to start.

The 13-page security policy is broken down into various sections, such as physical security, data access security, user profile security, etc. Many of the entries are no-brainers, such the computer must be located in a secure room. It seems simple to say, but without a lock on the office or computer room door, no security can be achieved.

PowerTech's policy provides examples for how IBM i should be configured for security. Some of the recommendations are quite detailed, and some administrators may choose to have stricter or more lenient settings, depending on their particular needs. The document does not provide a complete security policy, but is a starting point for developing a custom security policy.

PowerTech will be updating the policy in the near future, and welcomes suggestions and submissions from the IBM i community, according to an August blog posting by PowerTech's director of security technologies Robin Tatam.

"This popular document will continue to be a free resource to the IBM i security community, and we invite anyone to download, edit, and return the changes to us for possible (and credited) inclusion in a future edition," Tatam writes.

You can obtain PowerTech's OS/400 Security Policy as a free PDF download from its website at www.powertech.com.